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Abstract 

Byzantine Agreement introduced in [Pease, 
Shostak, Lamport, 80] is a widely used building 
block of reliable distributed protocols. It sim- 
ulates broadcast despite the presence of faulty 
parties within the network, traditionally using 
only private unicast links. Under such condi- 
tions, Byzantine Agreement requires more than 
2/3 of the parties to be compliant. [Fitzi, Mau- 
rer, 00], constructed a Byzantine Agreement pro- 
tocol for any compliant majority based on an ad- 
ditional primitive allowing transmission to any 
two parties simultaneously. They proposed a 
problem of generalizing these results to wider 
channels and fewer compliant parties. We prove 
that 2/ < kh condition is necessary and suffi- 
cient for implementing broadcast with h compli- 
ant and / faulty parties using /c-cast channels. 

1 Introduction 

Broadcast primitives play a special role in multi- 
player game theory as an integral component in 
the fault-tolerant implementation of game proto- 
cols. Given a compliant majority, broadcast and 
private channels are sufficient to simulate any 
multi-party computation [Rabin, Ben-Or, 89], 
based on [Goldreich, Micali, Wigderson, 87], and 
[Ben-Or, Goldwasser, Wigderson, 88]. With ad- 
ditional primitives, such as private and oblivious 
transfer channels, even a majority of faulty par- 
ties can be tolerated [Beaver, Goldwasser, 89], 
[Goldwasser, Levin. 90]. 
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Since reliable hardware solution is a strong as- 
sumption, Byzantine Agreement protocols simu- 
late broadcast on networks with faulty parties. 
Given only private channels, Byzantine Agree- 
ment is possible if and only if faulty parties are 
in a < 1/3 minority ([Pease, Shostak, Lamport, 
80]). For this reason, protocols tolerant to more 
faults generally assume broadcast as a primitive. 

Various hardware assumptions and communi- 
cation goals were studied in the literature. For 
instance, [Angluin 80], [Goldreich, Goldwasser, 
Linial 91], [Franklin, Yung 95] and other pa- 
pers studied problems of private communication 
on an incomplete broadcast network. [Franklin, 
Wright 98] showed that such a network with p 
disjoint paths from sender to receiver could tol- 
erate < p/2 faulty parties. [Wang, Desmedt 01] 
showed that < p faulty parties could be handled 
with probabilistic reliability. 

The broadcast primitive is rather special in 
that, unlike other common primitives, it involves 
an unlimited number of parties. This suggests 
exploring the power of a limited version of broad- 
cast, with a constant number of recipients. As- 
suming any compliant majority, [Fitzi, Maurer, 
00] used a 3-party broadcast primitive to simu- 
late full broadcast. They asked what fraction of 
compliant parties would be required given wider 
broadcast primitives. This is especially interest- 
ing in view of results (e.g. [H ^J) that con- 
vert arbitrary protocols into equivalent ones with 
added tolerance to any faulty majorities, assum- 
ing the availability of broadcasts and two-party 
primitives, such as oblivious transfer and private 
channels. We show that broadcast with h com- 
pliant and / faulty parties can be implemented 
using /c-cast channels if and only if 2/ < kh. 



1 



2 Definitions and Results 

Definition 1 A k-cast channel is a primitive 
for authenticated reliable communication to k 
parties. To use it, one party, the sender, selects 
k recipients, and a message m. Each recipient 
gets m, as well as the identities of the sender and 
the other recipients. 

Definition 2 A protocol is an algorithm used in 
rounds by several communicating parties. Each 
party starts with an input appended with its and 
other parties' identities. At each round, parties 
can k-cast messages to be used by the recipients 
as inputs for the next round. Besides the al- 
gorithm, the interaction is affected by the Ad- 
versary who selects the initial inputs of all par- 
ties and assigns, possibly with restrictions, their 
loyalties, i.e., chooses a subset of faulty parties 
and replaces their communications ( inputs, mes- 
sages, and outputs) by data of its choice. 

Definition 3 Byzantine agreement is a broad- 
cast simulating protocol. The party 's value is its 
output for a recipient or input for the sender. 
The protocol succeeds if the values of non-faulty 
(compliant) parties are all identical. 

Theorem 1 Byzantine agreement protocols for 
h compliant and f faulty parties using k-cast 
channels exist if and only if If < kh. 

2.1 Broadcast and Consensus 

In a traditional consensus model, each party 
starts with an input value. After running a con- 
sensus protocol, all compliant parties output val- 
ues consistent with each other and with an input 
of at least one compliant party. With a com- 
pliant majority, consensus is easily shown to be 
equivalent to broadcast. To achieve consensus, 
each party broadcasts its value to the others who 
then output the majority value. To broadcast, 
the sender sends its input to all parties, who then 
run a consensus protocol on the values received. 



This equivalence fails when the majority is 
faulty. The Adversary gives inputs and 1 to an 
equal number of parties. They all run the pro- 
tocol faithfully. The Adversary defeats the con- 
sensus by keeping compliant some parties with 
different outputs or declaring faulty all parties 
whose inputs match the uniform output. 

One can generalize the consensus model, by 
assuming each party to have not just one input 
or output value but rather a distribution, i.e., 
a value for each A;-node set he belongs to. All 
compliant members of the set get the same input 
value for it. All output values of compliant par- 
ties must agree with each other and with at least 
one input of a compliant party. This model can 
simulate broadcast after the sender distributes 
his input, i.e., fc-casts it to all fc-node sets. 

3 Proof of the Lower Bound 

3.1 Big Rings and Chains 

The Adversary's ability to defy the agreement 
will depend on having enough parties to build 
a big ring. A (k,h)-ring is a set of k + 2 or 
more clusters of parties where the clusters are 
arranged in a cycle, with at least h parties in 
any two adjacent clusters. These bounds assure 
that no message can be sent to all clusters, and 
all compliant parties can fit in any two adjacent 
clusters. Adding up parties in all pairs of consec- 
utive clusters, we get (k+2)h or more, counting 
each party twice. So, to build the ring, the Ad- 
versary needs f + h> (k + 2)h/2 parties, which 
means 2/ > kh. A (k, h)-img could be opened 
into a (A:, h)-chain by duplicating all nodes in the 
sender's cluster S, creating two clusters, So and 
Si. 

3.2 The Adversary Strategy 

The Adversary defeats any protocol P if 2/ > 
kh. It arranges the parties into a (k, /i)-chain, 
duplicating the sender's cluster S as in sec- 
tion 13.11 One copy of S will end up being sim- 
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ulated by the adversary. Both copies play the 
same part in protocol P, receiving duplicate mes- 
sages from other clusters. The two copies of the 
sender get opposite inputs. The messages from 
S are generated by both copies, but one copy is 
intercepted by the Adversary as follows. 

Each transmission from S misses all parties in 
at least one other cluster. Discounting the left- 
most such cluster splits the chain into two sub- 
chains: Co and Ci. The Adversary will keep 
compliant two adjacent clusters, so either Co or 
Ci will have no compliant parties. Thus the Ad- 
versary can and does intercept the messages from 
S m to Ci_ m . 

With these restrictions on the Adversary, no 
messages or outputs depend on its choice of com- 
pliant parties. Since the values of the So and Si 
copies of the sender differ, there must be parties 
in adjacent clusters that disagree on their value. 
The Adversary defeats the protocol by choosing 
the conflicting clusters as compliant, corrupting 
all others. ■ 

4 Proof of the Upper Bound 

We describe a Byzantine protocol P/i for h com- 
pliant and / = \kh/2\ — 1 faulty parties. It 
can also run with fewer, n < h + f, parties, 
and is still guaranteed to succeed, provided all 
d = h+f—n missing parties are counted as faulty 
if the sender s (who will represent the missing 
parties) is faulty. P starts with s distributing 
its input, and uses the following concept of trust 
graphs. 

4.1 Trust Graphs 

A trust graph is formed by each party and links 
pairs of parties that report consistently inputs 
received from s by both. "Sender clusters" S m 
are added to the graph, each S m being a clique of 
1+d nodes connected to all recipients who report 
uniform inputs m. 

A pruning is then conducted as follows. Be- 
cause the h compliant parties must form a clique, 



edges not in cliques can be removed. Since 
cliques are hard to detect, we remove instead 
(until none left) edges (a, b) that do not belong to 
any bi-star i.e., an /i-node star with two centers 
a, b (adjacent to all its nodes). 

We use trust graphs to choose agreement val- 
ues. All compliant parties must be adjacent in 
the graph. If, in their respective graphs, com- 
pliant recipients have paths to a unique sender 
cluster, they may immediately output its value. 

Consider a path connecting nodes in S m with 
different m, say, So and S±. It must have more 
than k recipients. Otherwise there would be one 
fc-cast received by them all; since parties con- 
nected to S m claim this A;-cast was m, there must 
be some disagreement along this path. 

One can break So, Si and the recipients into 
clusters according to the distance from So, drop- 
ping nodes more distant than Si. They form a 
(k, /i)-chain, since every two consecutive clusters 
include an h-node bi-star. So, by section 13.11 a 
trust graph with a path between So and Si im- 
plies 2/ > kh. 

4.2 The Protocol 

Each party i distributes all messages Mi it re- 
ceived from s. Then all parties except s run P^ 
recursively to agree on Mj and form trust graphs 
based on the agreed Mj's. Let n be the minimal 
number of parties for which the guarantee for 
P/i can fail. Then the agreement on Mi succeeds 
unless s is compliant and i faulty 

Thus, the compliant parties always form a 
clique, and if s is not among them, the graphs 
are identical. Then each party with a path to 
S m outputs m, or 0, if no such paths exist. The 
agreement can fail only if a path connects both 
S m . As per Section ^. 11 this contradicts 2/ < kh. 
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